There was a recent report of an incident at a chemical plant in the Netherlands where this very thing happened. Alas, for the hackers, it was a defeat. In a victory for good security training, the individuals who found the suspect drives took them to their IT people rather than plugging them into the control system. They were indeed loaded with malware, specifically a keylogger that captures passwords and sends them to the hackers.